So umm... Best Way to Start Your Own Security Consulting/ Penetration Testing Company

Hi guys, so I was browsing around, as I tend to do, and the Start Your Own Security Company thread caught my eye. This topic interests me greatly because I too would someday like to start a small security company. Unfortunately, NOBODY answered the OP's question in the 4 pages that was the thread before it killed itself. You would think the title had been "Do you think I'm 1337 enough to start a security company?" or something.

Well, maybe none of you have any experience in that area (which would be ironic), but if any of you do I would really like to hear some advice or experiences. Successes and failures, such as what works, what doesn't... I think this topic would be a great contribution to the AO community.

SOOOOOOOO... have any of you started your own security company? What scale did you initially start at and what were some of the hurdles in getting up and running? How do you find clients and what measures do you take to protect yourself from liability? What range of services do you offer?

1. You need to have been in the business for a long time.
2. You need to have been a senior consultant in a major consultancy for at least 5 years.
3. You need to be prominent in the industry through seminars, publications and the like.
4. You need a number of similar standing individuals on your team.

Unfortunately, one's ability to do the job is relatively unimportant compared to the reputation of the people who get hired. You see, a lot of these exercises are CYA (cover your a$$) rather than a true security job. The customer doesn't really care about security; they are just looking for a feel-good factor.

Back in the day, there was an old saying that "nobody ever got fired for buying IBM"... well, the same kind of thing goes for security consultants these days. Sure, you might be able to do as good a job, and a hell of a lot cheaper, but trust me when I say that no corporate EVP is going to put his neck on the line for the sake of saving a few thousand bucks.

It is pretty much the same with external auditors. Small companies deal with small companies and the big boys go to the likes of PriceWaterhouseCoopers.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

I concur with everyone else. Even highly regarded information security experts don't usually start companies on their own. Take Ed Skoudis, for example: he is a highly regarded information security professional, author of a few books, and wrote and teaches for SANS. He co-founded a company with a few other information security professionals. So I highly doubt you will have much success on your own.

I have had a great deal of laughs about the other thread, as I can remember the first time a client handed me a "security audit" completed by a so-called security consultant. The so-called consultant ran a Nessus scan and then managed to press the print button. He didn't even bother to bind it or anything, just a loose stack of pages presented to the client. If this entertainment keeps up, then I am canceling cable.

Until you have worked for a company exclusively conducting security audits under the watchful eye of another professional for at least 3 years, I wouldn't dream of it.

That is a very specialist and restricted service that would require you competing with a relatively small number of established organisations, much larger than yourself.

A much more feasible approach to starting your own business is to go one level further down and look at the day to day activities of smaller businesses.

This requires understanding business processes and procedures as Morgana~ has suggested.

There are other areas such as network design, database design, separation of business functions, data security, disaster recovery and business continuity, authorised usage policies, data protection and so on.

All these areas have security implications but they also have business implications and are far more likely to be understood by the managers/owners of small businesses.

When it comes to financial systems, for example, there is no need for internet connectivity at all. It should be a self contained network and penetration testing should be irrelevant. What matters more is authority levels and checks and balances.

I don't know what things are like in other countries, but over here at least 95% of small business fraud is either the good old-fashioned confidence trick, or it is internal (that is most of it). This is a problem that the owners are aware of and will gladly pay for consultancy on.

Sure, the law says that they have to have external auditors to examine their statutory accounts but the smaller companies cannot afford full time internal auditors or security specialists in their IT function.

It is far cheaper for them to hire a local consultancy firm for 12 weeks and then for a two week review every year than to employ a permanent member of staff who would probably get bored to tears and leave fairly quickly.

A contractor would be an alternative, but they come and go and disappear off the face of the earth. A permanently established local consultancy is the ideal solution.

It is also ideal for someone getting started in their own business as the big boys cannot compete (too many overheads) and are not interested in the smaller jobs.

Over time you might be able to concentrate more and more on security, but to begin with it would be prudent to offer a broader range of services and extend your earnings base.

In the UK you often have to be CLAS or CHECK certified (in addition to CISSP) before you'd get looked at by a large company or the public sector. These are government sponsored and you can't buy your way into them (allegedly).

You could still work for smaller companies who can't (or won't) pay for CHECK teams. Get work and build your reputation that way. Most security companies offer other services such as ISO certifications, forensics etc.

I've found that the best way to go about starting your own business is to first work in the field for another larger company.

1.) Study, test, repeat -- get some alphabet soup for the back of your name
2.) Work in industry in excess of 10 years
2 alt) Go to school with a co-operative education program; RIT places students with pen-testing companies for 3-month periods, up to 6 months at a time...
3.) Get hired by a larger firm and gain experience there
4.) THEN think about splitting off and forming your own.

Applications many people use for pen-testing are VERY expensive. Think CORE or Immunity's CANVAS. Although you can pen-test using the standard hacker fare, you should use a multitude of tools, and I recommend you use at least one of the biggies. I know for sure I'd rather be buying a new Jeep than a seat for a pen-testing program.

But hey, what do I know? I run a computer business building custom computers to a small customer base. It's more a hobby business anyway...